[Users] Questions on ovirt 3.3 browser based spice/novnc working
Alon Bar-Lev
alonbl at redhat.com
Thu Aug 1 18:07:39 UTC 2013
If you install the proxy on the engine machine you just need:
# yum install ovirt-engine-websocket-proxy
# engine-setup
then answer yes when prompt if you like to configure websocket proxy.
you can execute engine-setup again even if you already installed.
----- Original Message -----
> From: "Dead Horse" <deadhorseconsulting at gmail.com>
> To: "<users at ovirt.org>" <users at ovirt.org>
> Sent: Thursday, August 1, 2013 9:01:47 PM
> Subject: [Users] Questions on ovirt 3.3 browser based spice/novnc working
>
> After Referencing:
> http://www.ovirt.org/Features/noVNC_console
> http://www.ovirt.org/Features/SpiceHTML5
>
> and looking at some of the related engine code.
>
> I am still attempting to get the spice/novnc browser based consoles to work.
>
> I am working from a build from master yesterday I used to upgrade over a
> previous 3.3 master build from about a month back.
>
> VDSM version on host is 4.12.0 built minutes ago.
>
> I have installed and configured the websocket proxy like so:
>
> Set WebSocketProxy to engine ENGINEIP port 6100
> engine-config -s WebSocketProxy=ENGINEIP:6100
>
> /usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh --name=websocket-proxy
> --password=install --subject="/C=US/O=DHC/CN=ENGINEFQDN"
>
> This generates:
> /etc/pki/ovirt-engine/keys/websocket-proxy.p12
> /etc/pki/ovirt-engine/certs/websocket-proxy.cer
> /etc/pki/ovirt-engine/requests/websocket-proxy.req
>
> However it does not generate the key that websockify wants so we do:
> openssl pkcs12 -in websocket-proxy.p12 -nocerts -nodes -out
> /etc/pki/ovirt-engine/keys/websocket-proxy.key
>
> The configuration of ovirt-websocket-proxy:
> PROXY_HOST=*
> PROXY_PORT=6100
> SOURCE_IS_IPV6=False
> SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/websocket-proxy.cer
> SSL_KEY=/etc/pki/ovirt-engine/keys/websocket-proxy.key
> FORCE_DATA_VERIFICATION=False
> CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer
> SSL_ONLY=True
> TRACE_ENABLE=False
> TRACE_FILE=
> ENGINE_USR="/usr/share/ovirt-engine"
>
> Install spice-html5
> git clone http://anongit.freedesktop.org/git/spice/spice-html5.git
> mv spice-html5 /usr/share
>
> Test spice:
> In Webadmin UI we set create a VM, set display as spice, start it and set
> it's console to spice-html5.
> Result spice-html client opens in a new tab but does not connect.
>
> From engine.log:
> 2013-08-01 12:49:52,352 INFO [org.ovirt.engine.core.bll.SetVmTicketCommand]
> (ajp--127.0.0.1-8702-9) Running command: SetVmTicketCommand internal: false.
> Entities affected : ID: fec3260c-871a-4fbe-a006-9eee4fbfbbcc Type: VM
> 2013-08-01 12:49:52,371 INFO
> [org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand]
> (ajp--127.0.0.1-8702-9) START, SetVmTicketVDSCommand(HostName =
> ovirtnodefoo, HostId = 5713e5c8-6252-4bce-a3f6-bbd8e1e6eb57,
> vmId=fec3260c-871a-4fbe-a006-9eee4fbfbbcc, ticket=TKfzUQJLLrUI,
> validTime=120,m userName=admin at internal,
> userId=fdfc627c-d875-11e0-90f0-83df133b58cc), log id: 5d258049
> 2013-08-01 12:49:52,445 INFO
> [org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand]
> (ajp--127.0.0.1-8702-9) FINISH, SetVmTicketVDSCommand, log id: 5d258049
>
> Test novnc:
> In Webadmin UI we set create a VM, set display as VNC, start it and set it's
> console to novnc.
> Result novnc client opens in a new tab but does not connect, but does display
> error: "Server disconnected (code: 1006)
>
> From engine.log:
> 2013-08-01 12:50:44,800 INFO [org.ovirt.engine.core.bll.SetVmTicketCommand]
> (ajp--127.0.0.1-8702-9) Running command: SetVmTicketCommand internal: false.
> Entities affected : ID: fec3260c-871a-4fbe-a006-9eee4fbfbbcc Type: VM
> 2013-08-01 12:50:44,833 INFO
> [org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand]
> (ajp--127.0.0.1-8702-9) START, SetVmTicketVDSCommand(HostName =
> ovirtnodefoo, HostId = 5713e5c8-6252-4bce-a3f6-bbd8e1e6eb57,
> vmId=fec3260c-871a-4fbe-a006-9eee4fbfbbcc, ticket=IPWOWh6U9erd,
> validTime=120,m userName=admin at internal,
> userId=fdfc627c-d875-11e0-90f0-83df133b58cc), log id: bff6161
> 2013-08-01 12:50:44,917 INFO
> [org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand]
> (ajp--127.0.0.1-8702-9) FINISH, SetVmTicketVDSCommand, log id: bff6161
>
> I verified connection of both the spice/vnc console directly at the host
> level with a quick connect via virt-viewer.
>
> A quick scan with nmap of engine and host to verify sockets are open:
>
> Nmap scan report for engine
> Host is up (0.0042s latency).
> Not shown: 995 closed ports
> PORT STATE SERVICE
> 22/tcp open ssh
> 80/tcp open http
> 111/tcp open rpcbind
> 443/tcp open https
> 6100/tcp open synchronet-db
>
> Nmap scan report for host
> Host is up (0.0045s latency).
> Not shown: 997 closed ports
> PORT STATE SERVICE
> 22/tcp open ssh
> 111/tcp open rpcbind
> 5900/tcp open vnc
>
> For grins I stopped the websocket proxy and manually started a websockify
> like so:
> websockify 3.57.111.11:6100 3.57.111.12:5900
> --cert=/etc/pki/ovirt-engine/certs/websocket-proxy.cer
> --key=/etc/pki/ovirt-engine/keys/websocket-proxy.key
>
> WARNING: no 'numpy' module, HyBi protocol is slower or disabled
> WebSocket server settings:
> - Listen on ENGINEIP:6100
> - Flash security policy server
> - SSL/TLS support
> - proxying from ENGINEIP:6100 to HOSTIP:5900
>
> Attempting another connection via
> https://ENGINEFQDN//ovirt-engine-novnc-main.html?host=ENGINEIP&port=6100
> results in:
>
> 1: handler exception: [Errno 1] _ssl.c:1359: error:14094418:SSL
> routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
>
>
> I should also note in case it matters that the SSLEnabled=false, and
> EnableSpiceRootCertificateValidation are both set as false are set in my
> engine options.
>
> Am I doing something wrong here, I don't see any reason this should not work?
>
> - DHC
>
> _______________________________________________
> Users mailing list
> Users at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
More information about the Users
mailing list